In January 2025, the European Banking Authority published its final Guidelines on the management of ESG risks (EBA/GL/2025/01), requiring EU credit institutions to integrate environmental, social, and governance factors into their risk management frameworks.

In California, SB 253 (as amended by SB 219 in 2024) requires Scope 1 and 2 emissions reporting from 2026 for companies doing business in the state with more than USD 1 billion in annual revenue. Meanwhile, the ISSB’s IFRS S1 and S2 sustainability disclosure standards have been adopted, or are being adopted, in 36 jurisdictions covering over half of global GDP.

These are not distant regulatory horizons. They are live compliance obligations. And they share a common thread: ESG risk is no longer a side project for the sustainability team. It is an enterprise-level discipline that requires the same rigour as credit risk, market risk, or operational risk, with structured identification, quantified assessment, board-level governance, and auditable reporting.

This guide walks you through what ESG risk management actually means in practice, the three risk pillars (environmental, social, and governance), the regulatory frameworks driving disclosure, a six-step assessment process you can implement, KRIs and metrics for your risk dashboard, and the common mistakes that derail ESG programmes.

If you are a risk manager, compliance officer, or board member preparing for mandatory ESG disclosure, this article gives you the practitioner roadmap.

What Is ESG Risk Management?

ESG risk management is the systematic process of identifying, assessing, mitigating, and reporting risks arising from environmental, social, and governance factors that could affect an organisation’s financial performance, reputation, regulatory standing, or long-term viability.

It extends traditional enterprise risk management by adding three dimensions that were previously treated as non-financial or reputational concerns but are now recognised as material business risks.

The COSO ERM Framework and the 2018 COSO/WBCSD guidance on applying ERM to ESG-related risks provide the methodological bridge: ESG risks follow the same identify-assess-respond-monitor lifecycle as any other enterprise risk.

The difference is that ESG risks often operate across longer time horizons (climate transition risk may materialise over decades), involve complex stakeholder dynamics (social licence to operate), and are subject to a rapidly evolving regulatory landscape that varies by jurisdiction.

Why ESG Risk Management Matters Now

  • Regulatory mandate: ISSB standards (IFRS S1/S2), the EU Corporate Sustainability Reporting Directive (CSRD), California SB 253/SB 261, and EBA guidelines are converting voluntary ESG reporting into mandatory, auditable disclosure.
  • Financial materiality: Economic losses from natural catastrophes, most of them weather-related, exceeded USD 300 billion globally in 2024 by every major reinsurer’s estimate. Social risks such as labour disputes and supply chain human rights violations directly affect earnings, insurance costs, and capital access.
  • Investor pressure: Over 90 percent of S&P 500 companies now publish sustainability reports. Asset managers representing over USD 120 trillion in assets are signatories to the UN Principles for Responsible Investment and integrate ESG factors into investment decisions.
  • Reputational exposure: Greenwashing enforcement is rising. The EU’s Empowering Consumers for the Green Transition Directive (applicable from September 2026), the proposed Green Claims Directive, and SEC scrutiny of misleading ESG fund labels mean that superficial ESG commitments carry real legal risk.

The Three Pillars of ESG Risk

ESG risk management covers three interconnected categories. Each requires distinct identification methods, assessment criteria, and mitigation strategies, but they share a common governance and reporting infrastructure.

Environmental Risk

Environmental risk encompasses the threats that climate change, resource depletion, pollution, and biodiversity loss pose to an organisation’s operations, supply chain, and financial position. Regulators and standard-setters divide environmental risk into two sub-categories:

  • Physical risk: Direct damage from acute events (floods, wildfires, hurricanes) or chronic shifts (sea-level rise, water scarcity, temperature increases) that affect facilities, supply chains, and insurance costs.
  • Transition risk: Financial exposure from the shift to a lower-carbon economy, including policy changes (carbon pricing, emissions caps), technology shifts (stranded fossil fuel assets), market shifts (consumer preference for sustainable products), and reputational shifts (stakeholder expectations for climate action).

The ISSB IFRS S2 Climate-related Disclosures standard requires organisations to disclose physical and transition risks, Scope 1, 2, and 3 greenhouse gas emissions, climate scenario analysis, and the financial impact of climate risks on strategy and business model.

Social Risk

Social risk covers the threats arising from how an organisation treats its workforce, its supply chain, its customers, and the communities it operates in. Social risks are harder to quantify than environmental risks, but they can be equally devastating when they materialise.

  • Workforce risks: Labour rights violations, workplace safety incidents, pay equity gaps, lack of diversity and inclusion, and employee turnover that erodes institutional knowledge.
  • Supply chain risks: Modern slavery, child labour, unsafe working conditions, and human rights violations within supplier networks. The EU Corporate Sustainability Due Diligence Directive (CSDDD) obliges in-scope companies to identify, prevent, mitigate, and remediate adverse human rights and environmental impacts in their chain of activities.
  • Customer and community risks: Data privacy breaches, product safety failures, predatory practices, and failure to engage with affected communities around operational sites.

Social risks often cascade: a workforce safety incident triggers regulatory investigation, media scrutiny, customer boycotts, and ultimately shareholder value destruction. The lesson from incidents like the Rana Plaza collapse and the Boohoo supply chain scandal is that social risks are financial risks.

Governance Risk

Governance risk relates to the structures, processes, and behaviours through which an organisation is directed, controlled, and held accountable. Governance failures are frequently the root cause of environmental and social risk failures, making this pillar the foundation of the entire ESG framework.

  • Board oversight: Lack of board-level ESG expertise, insufficient diversity, inadequate independence, and failure to integrate ESG into strategic decision-making.
  • Ethics and integrity: Bribery, corruption, fraud, conflicts of interest, and inadequate whistleblower protections.
  • Executive accountability: Misaligned incentive structures where executive compensation is disconnected from sustainability performance. IFRS S2 requires disclosure of whether and how climate-related considerations are factored into executive remuneration, and the percentage of remuneration recognised in the period that is linked to them.
  • Disclosure and transparency: Greenwashing, inconsistent reporting across channels (sustainability report vs 10-K vs investor presentations), and inadequate internal controls over ESG data.

The ESG Regulatory Landscape: What You Need to Know

The regulatory environment for ESG risk has shifted from voluntary to mandatory at an unprecedented pace. Here are the frameworks and regulations that matter most for organisations with US or EU exposure.

Framework / Regulation | Jurisdiction | Key Requirements | Status (Feb 2026)
ISSB IFRS S1/S2 | Global (36 jurisdictions adopting or in progress) | General sustainability and climate disclosure, Scope 1/2/3, scenario analysis | Live in adopting jurisdictions; assurance requirements are set by each jurisdiction, not by the ISSB
EU CSRD + ESRS | European Union | Double materiality, 12 ESRS standards, value chain reporting | Wave 1 (large public-interest entities) reporting on FY2024; later waves postponed two years by the April 2025 “stop-the-clock” directive, with scope and ESRS simplification under the Omnibus package
California SB 253/261 | US (California) | SB 253: Scope 1/2 from 2026, Scope 3 from 2027; SB 261: biennial climate-related financial risk report | SB 253 proceeding under CARB rulemaking; SB 261 enjoined pending appeal by the Ninth Circuit (Nov 2025)
SEC Climate Rule | US (Federal) | GHG emissions, climate risk governance, financial impact disclosure | Stayed; SEC ended its defence of the rule in March 2025; no federal mandate in effect
EU CSDDD | European Union | Human rights and environmental due diligence across the chain of activities | Transposition deadline moved to July 2027 by the stop-the-clock directive; first application from 2028
EBA ESG Risk Guidelines | EU (Banking) | Integration of ESG risks into credit, market, liquidity, and operational risk frameworks | Final guidelines published Jan 2025; apply from 11 January 2026 (11 January 2027 for small and non-complex institutions)

The overarching trend: TCFD’s four-pillar structure (Governance, Strategy, Risk Management, Metrics and Targets) has become the global reporting architecture.

ISSB IFRS S2 builds directly on TCFD, and both the CSRD and California’s legislation reference the same pillars. Organisations that structure their ESG risk management around these four pillars will be positioned to meet any jurisdictional requirement.

Six-Step ESG Risk Assessment Process

The following process integrates ESG risk assessment into your existing enterprise risk management framework. It follows the same identify-assess-evaluate-treat-monitor lifecycle used for traditional risks, adapted for ESG-specific considerations.

Step 1: Identify ESG Risks by Category and Value Chain

Map your organisation’s ESG risk universe across all three pillars (E, S, and G) and across the entire value chain: upstream (suppliers, raw materials), own operations (facilities, workforce), and downstream (products, customers, end-of-life).

Use industry-specific frameworks like SASB Standards to identify financially material ESG topics for your sector.

Conduct workshops with cross-functional teams (risk, compliance, operations, procurement, HR, sustainability) and external stakeholders. Review industry peer disclosures, regulatory registers, and ESG rating agency assessments to ensure completeness.

Deliverable: ESG risk universe register organised by E, S, G category and value chain position.

Step 2: Conduct Double Materiality Assessment

Determine which ESG risks are material from two perspectives: financial materiality (how ESG factors affect the company’s financial position) and impact materiality (how the company’s activities affect people and the environment). The EU CSRD requires double materiality. ISSB focuses on financial materiality but increasingly acknowledges the feedback loop between impact and financial risk.

Use a materiality matrix to plot ESG topics by stakeholder importance and business impact. Involve investors, customers, employees, regulators, and community representatives in the assessment. Document the rationale for inclusion and exclusion of topics.

Deliverable: Double materiality matrix with ranked ESG topics, stakeholder input documentation, and board sign-off.

Step 3: Assess Likelihood and Impact Using Scenario Analysis

For each material ESG risk, assess the likelihood of occurrence and the potential impact across financial, operational, reputational, and regulatory dimensions. Use the same risk rating scale as your enterprise risk assessment framework to ensure consistency.

For climate-related risks specifically, IFRS S2 requires climate-related scenario analysis, commensurate with the entity’s circumstances, to assess resilience. At least one scenario must align with the latest international agreement on climate change (e.g., a 1.5-degree pathway); established practice pairs it with a contrasting higher-warming scenario (e.g., 3 degrees) so that both transition and physical risks are stress-tested against strategy and financial position over short, medium, and long-term horizons.

Deliverable: ESG risk register with likelihood and impact ratings, climate scenario analysis outputs, and risk heatmap.

Step 4: Design Controls and Mitigation Strategies

For each high-priority ESG risk, identify existing controls and design additional mitigation strategies. Controls should map to the specific risk driver and link back to the relevant compliance obligation.

Sample ESG Risk Controls by Pillar

Pillar | Risk Example | Control / Mitigation | KRI
E | Carbon transition risk from regulatory carbon pricing | Internal carbon pricing, renewable energy procurement, Scope 1/2 reduction targets | Scope 1+2 emissions intensity (tCO2e per USD of revenue)
E | Physical risk: flood exposure at critical facilities | Facility risk mapping, insurance review, BCP for flood scenarios | % of facilities in high-risk flood zones
S | Supply chain labour rights violations | Supplier code of conduct, third-party audits, grievance mechanisms | % of Tier 1 suppliers audited in trailing 12 months
S | Workforce safety incidents | HSE management system, incident reporting, safety training | LTIFR (lost-time injury frequency rate)
G | Greenwashing / misleading ESG claims | Internal controls over sustainability reporting (ICSR), third-party assurance, legal review of claims | ESG data errors per reporting cycle
G | Board ESG competency gap | ESG skills matrix, board training, independent ESG advisory | % of board members with ESG experience

Deliverable: ESG control library linked to risks and compliance obligations, gap analysis, and remediation plan.

Step 5: Build ESG Metrics, KRIs, and the Reporting Dashboard

Define key risk indicators (KRIs) and key performance indicators (KPIs) for each material ESG risk. Set amber and red thresholds aligned with your risk appetite statement. Build a single ESG risk dashboard that integrates with your enterprise risk reporting.

Sample ESG KRI Dashboard

ESG KRI | Owner | Green | Amber | Red
Scope 1+2 emissions vs target (% of annual budget) | Sustainability | On track (≤ 100%) | 100–110% | > 110%
LTIFR (lost-time injury frequency rate) | HSE | < 1.0 | 1.0–2.0 | > 2.0
Tier 1 supplier audit coverage | Procurement | > 80% | 60–80% | < 60%
Gender pay gap ratio | HR | 0.95–1.05 | 0.90–0.94 or 1.06–1.10 | < 0.90 or > 1.10
Board ESG competency (%) | Company Secretary | > 40% | 25–40% | < 25%
ESG data assurance findings (critical) | Internal Audit | 0 | 1–2 | > 2
Regulatory ESG breaches (trailing 12 months) | Compliance | 0 | 1 | > 1

Deliverable: ESG KRI/KPI register with thresholds, integrated ESG-ERM dashboard, and board reporting template.
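Threshold evaluation is where dashboards quietly go wrong: some KRIs are “higher is worse” (emissions against budget, LTIFR), some are “higher is better” (audit coverage, board competency), and the pay gap ratio is two-sided around a target of 1.0. The following Python is an added example written for this guide, not code from any standard-setter or vendor; it encodes the sample dashboard above as data, scores observations into green/amber/red, and rolls the result up worst-of so a missing data point cannot hide a red. The boundary conventions in the table vary between rows; the code takes the conservative reading that a value sitting exactly on a threshold gets the worse status, so thresholds in your KRI register should be written the same way. The observation values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Status ordering used for roll-ups: the worst KRI drives the dashboard colour.
RAG_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass(frozen=True)
class Kri:
    """One key risk indicator with its amber and red thresholds.

    For higher-is-worse KRIs (emissions vs budget, LTIFR) amber < red.
    For higher-is-better KRIs (audit coverage, board competency) amber > red.
    A two-sided KRI (gender pay gap ratio) is scored on its absolute
    deviation from `target`, which makes it higher-is-worse by construction.
    """
    name: str
    owner: str
    amber: float
    red: float
    higher_is_worse: bool = True
    target: Optional[float] = None


def rag_status(kri: Kri, value: float) -> str:
    """Return 'green', 'amber' or 'red' for an observed KRI value.

    Convention: a value exactly on a threshold takes the worse status, so a
    breach of the agreed tolerance is never rounded away in the board pack.
    """
    higher_is_worse = kri.higher_is_worse
    if kri.target is not None:
        # Two-sided band: distance from target, rounded to absorb float noise.
        value = round(abs(value - kri.target), 9)
        higher_is_worse = True

    if higher_is_worse:
        if value < kri.amber:
            return "green"
        return "amber" if value < kri.red else "red"
    # Higher is better: mirror the comparisons.
    if value > kri.amber:
        return "green"
    return "amber" if value > kri.red else "red"


Row = Tuple[str, str, Optional[float], str]


def evaluate_dashboard(kris: List[Kri], observations: Dict[str, float]) -> List[Row]:
    """Score every KRI; a KRI with no observation is reported as 'no data'."""
    rows: List[Row] = []
    for kri in kris:
        value = observations.get(kri.name)
        status = rag_status(kri, value) if value is not None else "no data"
        rows.append((kri.name, kri.owner, value, status))
    return rows


def overall_status(rows: List[Row]) -> str:
    """Worst-of roll-up; 'no data' is treated as amber so gaps cannot mask a red."""
    worst = "green"
    for _, _, _, status in rows:
        status = "amber" if status == "no data" else status
        if RAG_ORDER[status] > RAG_ORDER[worst]:
            worst = status
    return worst


# Thresholds transcribed from the sample dashboard; pay gap scored as |ratio - 1.0|.
DASHBOARD = [
    Kri("scope12_vs_budget_pct", "Sustainability", amber=100, red=110),
    Kri("ltifr", "HSE", amber=1.0, red=2.0),
    Kri("tier1_audit_coverage_pct", "Procurement", amber=80, red=60, higher_is_worse=False),
    Kri("gender_pay_gap_ratio", "HR", amber=0.05, red=0.10, target=1.0),
    Kri("board_esg_competency_pct", "Company Secretary", amber=40, red=25, higher_is_worse=False),
    Kri("assurance_findings_critical", "Internal Audit", amber=1, red=3),
    Kri("regulatory_breaches_12m", "Compliance", amber=1, red=2),
]

# Constructed quarter-end observations (illustrative, not real company data).
SAMPLE_OBSERVATIONS = {
    "scope12_vs_budget_pct": 104.0,
    "ltifr": 0.7,
    "tier1_audit_coverage_pct": 83.0,
    "gender_pay_gap_ratio": 0.93,
    "board_esg_competency_pct": 50.0,
    "assurance_findings_critical": 0,
    # regulatory_breaches_12m deliberately absent to exercise the 'no data' path
}

if __name__ == "__main__":
    rows = evaluate_dashboard(DASHBOARD, SAMPLE_OBSERVATIONS)
    for name, owner, value, status in rows:
        print(f"{name:<30} {owner:<18} {str(value):>6}  {status}")
    print("overall:", overall_status(rows))
```

Keeping thresholds as data rather than as branches in code means the risk appetite statement, the KRI register, and the dashboard logic can be reconciled line by line by internal audit, which is the control that matters when the numbers feed an assured disclosure.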

Step 6: Report, Assure, and Continuously Improve

Structure your ESG disclosure around the TCFD four-pillar architecture (Governance, Strategy, Risk Management, Metrics and Targets) to ensure compatibility with ISSB, CSRD, and California requirements. Implement internal controls over sustainability reporting (ICSR) using the COSO framework as guidance, treating ESG data with the same rigour as financial data.

Obtain at least limited assurance on key metrics (Scope 1/2 emissions, material social indicators, governance disclosures). The ISSB standards themselves do not mandate assurance; each adopting jurisdiction decides. The CSRD requires limited assurance from the first reporting year, and the IAASB’s ISSA 5000 (issued November 2024) is the global standard assurance providers apply. Expect reasonable assurance to follow in several jurisdictions.

Establish a continuous improvement cycle: annual materiality reassessment, quarterly KRI reviews, post-incident lessons learned, and regulatory horizon scanning. Feed findings back into your risk register and update controls accordingly.

Deliverable: Annual ESG disclosure report (TCFD-aligned), assurance engagement letter, continuous improvement log, and regulatory readiness tracker.

Seven Common Mistakes in ESG Risk Management

  1. Treating ESG as a standalone sustainability project. ESG risks are enterprise risks. If they live only in the sustainability team’s domain, they will never receive the board attention, budget, or cross-functional integration needed for effective management.
  2. Ignoring double materiality. Focusing only on how ESG affects the company (financial materiality) while ignoring how the company affects people and the environment (impact materiality) creates blind spots and exposes you to CSRD and CSDDD non-compliance.
  3. Using stale or unverified data. ESG metrics require the same data governance as financial reporting. Without internal controls, version management, and third-party assurance, your disclosures are vulnerable to greenwashing allegations and regulatory challenge.
  4. Skipping scenario analysis. IFRS S2 requires climate-related scenario analysis to assess resilience, including at least one scenario aligned with the latest international climate agreement. Organisations that rely solely on historical data miss transition risks that unfold over decades.
  5. Setting targets without controls. Announcing a net-zero target without mapping the controls, investment, and operational changes needed to achieve it is the definition of greenwashing. Every target needs a credible action plan.
  6. Ignoring Scope 3 emissions. For most organisations, Scope 3 represents 70 to 90 percent of total emissions. California SB 253 requires Scope 3 disclosure from 2027. Start building the data infrastructure now.
  7. Disconnecting ESG from risk appetite. ESG risks need the same appetite and tolerance framework as financial and operational risks. Without defined thresholds, the board cannot make informed decisions about acceptable levels of environmental or social exposure.

ESG Risk Management Readiness Checklist

Score each item Yes, Partial, or No to assess your programme maturity.

  1. ESG risk universe identified across E, S, G categories and full value chain
  2. Double materiality assessment completed with stakeholder input
  3. ESG risks integrated into the enterprise risk register (not a separate document)
  4. Climate scenario analysis conducted across at least two temperature pathways
  5. Scope 1, 2, and 3 GHG emissions measured and verified
  6. ESG controls mapped to risks and regulatory compliance obligations
  7. KRI/KPI framework with amber and red thresholds defined for material ESG risks
  8. Board-level ESG governance with named oversight responsibility
  9. ESG metrics linked to executive remuneration
  10. Internal controls over sustainability reporting (ICSR) implemented
  11. Third-party assurance obtained (at minimum, limited assurance on key metrics)
  12. ESG disclosure structured around TCFD four-pillar architecture
  13. Supplier due diligence programme covers labour rights and environmental standards
  14. Employee training covers ESG risk awareness and reporting responsibilities
  15. Continuous improvement cycle with annual materiality reassessment

Scoring guide: 12+ Yes = strong ESG risk maturity. 8–11 = material gaps to address before next reporting cycle. Below 8 = begin with materiality assessment and board governance setup.

Frequently Asked Questions

What is ESG risk management?

ESG risk management is the systematic process of identifying, assessing, mitigating, and reporting risks arising from environmental (climate, pollution, biodiversity), social (workforce, supply chain, communities), and governance (board oversight, ethics, transparency) factors. It integrates these risks into the enterprise risk management framework so they receive the same rigour as financial and operational risks.

What are the main ESG reporting frameworks?

The primary frameworks are ISSB IFRS S1 and S2 (global sustainability and climate disclosure), the EU CSRD with its European Sustainability Reporting Standards (ESRS), GRI Standards (stakeholder-focused impact reporting), SASB Standards (industry-specific financial materiality), and the TCFD four-pillar architecture that underpins most modern ESG disclosure. In the US, California SB 253 and SB 261 are the most significant state-level mandates.

How do you assess ESG risk?

Follow a six-step process: identify ESG risks across your value chain, conduct a double materiality assessment with stakeholders, assess likelihood and impact using scenario analysis, design controls and mitigation strategies, build KRIs and a reporting dashboard, and report with third-party assurance. Use the same risk rating scale as your enterprise risk framework for consistency.

What is double materiality?

Double materiality assesses ESG topics from two angles: financial materiality (how ESG factors affect the company’s financial performance) and impact materiality (how the company’s operations affect people and the environment). The EU CSRD requires double materiality assessment. ISSB focuses primarily on financial materiality but acknowledges the interconnection between the two perspectives.

What is the difference between Scope 1, 2, and 3 emissions?

Scope 1 covers direct emissions from owned or controlled sources (e.g., company vehicles, on-site combustion). Scope 2 covers indirect emissions from purchased electricity, steam, heating, and cooling. Scope 3 covers all other indirect emissions across the value chain, including upstream supply chain, business travel, employee commuting, product use, and end-of-life treatment. For most companies, Scope 3 represents 70 to 90 percent of total emissions.

How do you create an ESG risk register?

Start with your materiality assessment to identify the ESG risks that matter most. For each risk, document the category (E, S, or G), value chain position, risk description, likelihood, impact, existing controls, residual risk rating, KRIs, risk owner, and linked regulatory obligation. Integrate ESG risks into your enterprise risk register rather than maintaining a separate document, so they receive the same governance, reporting, and board visibility as financial and operational risks.
